Tag: silvio micali

Exclusive: Blockchain Trilemma Solved? Secrets Revealed by Turing Award Winner's Algorand

Blockchain trilemma was initially expressed by Vitalik Buterin, founder of Ethereum, which is claimed to be unfeasible in achieving scalability, decentralization, and security simultaneously in a blockchain.

There are numerous blockchain project teams attempting to address the blockchain trilemma, and the Turing Award-winning team Algorand is one promising candidate. We have the pleasure to speak with Jing Chen, Chief Scientist of Algorand, on how Algorand attempts to solve the blockchain trilemma with its Byzantine agreement. She also explains why Algorand is non-forkable and the restrictions on Algorand’s adversary model!

1. Blockchain trilemma has been a headache for project teams in the public blockchain. How Algorand can solve the blockchain trilemma?

The alleged “trilemma” says that among three important properties – decentralization, scalability and security, a public blockchain can hope to achieve just two of them, at most. This is not a mathematically-proven impossibility. Rather, it is used to emphasize the difficulty of achieving all three simultaneously. We believe it’s important for a public chain to achieve all three, and the Algorand blockchain does just that.

Decentralization

Decentralization is made possible by Algorand’s permissionless, pure proof-of-stake consensus protocol. A user does not need permission to join the system or participate in the consensus, so no central control is present at the entry phase. A participating user’s voting power in the consensus protocol is directly proportional to their number of tokens, and having multiple users accumulate their tokens to one account does not increase their joint voting power at all. This eliminates the need to form “mining pools”. Moreover, the cost for a user to run a node in the system is very low, and a user doesn’t need specialized hardware in order to participate. This makes the system friendly to “small” users and helps with decentralization.

Scalability

The key to scalability lies in Algorand’s Byzantine agreement. Its safety does not rely on preset lower-bounds on how fast blocks should be generated (e.g., 10 minutes, 5 minutes, etc). Blocks can be generated as fast as messages can be propagated in the network. In typical cases, only one voting step is needed before a block can be certified, and it only takes a few seconds to generate a block. No computational resources are wasted solving cryptographic puzzles, making the system cost-efficient. For every block, only a small committee is selected to vote, and the size of the committee stays almost unchanged as the number of users and nodes grow in the system, making the system scalable to any number of users. What’s more, Algorand’s novel cryptographic self-selection technique ensures that no direct communication is needed among the selected committee members themselves, reducing the system’s communication cost and making it scalable to global crossing-continent networks. Cryptographic self-selection is also a key technology for the security of Algorand’s blockchain, as discussed below.

Security

Indeed, Algorand’s Byzantine agreement is designed based on first principles rather than heuristics, and its security is proved via rigorous mathematical analysis. Cryptographic self-selection ensures that no one knows who is selected to vote for a block until after a selected user sends out his voting message. Thus an attacker doesn’t know who to target beforehand. After seeing a user’s voting message, an attacker realizes that this user is selected. However, even if the attacker can corrupt this user at this point, it’s too late because their voting message is already propagated to the network. The voting committee is re-selected every step, and corrupting selected users doesn’t make the attacker better off in the future than corrupting un-selected users.

Moreover, forward security (also referred to as forwarding secrecy) is important in a system that lasts for a long time and generates blocks continuously one after another. An attacker may try to corrupt users who were in charge of voting for an earlier block, “go back in time” and have these users generate a different block in that same round, thus creating a fork. Ephemeral keys are used in Algorand blockchain against such attacks and ensure forward security. Each voting message in the protocol is signed using a voting key that is deleted after its job is done, thus the name “ephemeral”. With this method, even in the future, if an attacker manages to corrupt all users that were in the system in an earlier round, they do not have their voting keys to generate any block that is different from the existing ones.

It’s worth pointing out that, achieving security without requiring liveness is trivial and meaningless —users simply do not generate any blocks and the system is perfectly secure. The Algorand blockchain achieves both security and liveness against a very powerful adversary. We’ll get to the adversary model in a later question.

2. It is said that Algorand’s blockchain is non-forkable. Can you elaborate on how it happens?

In Algorand’s consensus protocol, when selecting committee members for generating a block in a given round, the selection rules and parameters are designed in such a way that, if one block has accumulated enough votes from committee members, then no other block for the same round will accumulate enough votes. This is true even when the attacker was the one who proposed the blocks, even when the attacker managed to partition the network —splitting users into several disconnected groups and fully controlling the communication among them. In such cases, after a block has been generated (that is, gotten enough votes from proper committee members), honest users may not immediately realize this fact. However, the messages that they have seen tell them that this particular block “may have” gotten enough votes and that they should not vote on any other block. Therefore, no two blocks from the same round will both accumulate enough votes. This holds true even when the network is partitioned for an indefinite amount of time and no one knows when it will be resolved. Nonetheless, Algorand’s blockchain doesn’t fork and users’ balances remain secure.

Again, both safety and liveness are needed for a blockchain. Algorand’s Byzantine agreement not only doesn’t fork, it also guarantees liveness when the network is not partitioned and recovers liveness after a network partition is resolved.

3. What are the restrictions on Algorand’s adversary model? 

The Algorand blockchain is secure against a very powerful adversary, who can corrupt any specific user they choose, fully control the behavior of that corrupted user, and perfectly coordinate the behavior of all corrupted users. For example, malicious behavior includes but is not limited to – signing contradicting voting messages, double-spending, sending their messages only to specific users at specific times, inaction, etc. It is required that an adversary does not control more than 1/3 of the total stakes participating in the consensus protocol.

4. In Algorand, bad actors will not be punished as there is math to show that wrongdoing is not costly to the system. Can you elaborate on the math?

As mentioned earlier, Algorand’s consensus protocol is secure against an adversary who controls no more than 1/3 of the total stakes. The core techniques have been discussed in earlier questions (e.g., #1 and #2).

5. Transaction per second (TPS) is often used to measure the scalability of the public blockchain. What are the technological breakthroughs for Algorand to achieve high TPS?

Algorand’s scalability is made possible by a combination of cryptographic techniques and its efficient Byzantine agreement. See #1 for more details.

Part 2 of the interview is coming up, stay tuned!

Exclusive: How to Ensure Random Numbers in Public Blockchain?

Following Part 1 of our interview, Jing Chen of Algorand further teaches our readers on how to ensure the randomness of a number in public blockchain! She also evaluates the existing Proof-of-Stake (POS) protocols: Delegated VS Bonded VS Pure POS!

Regarding the white paper “Digital Signatures for Consensus” published on March 9, 2019, it states that the signature equation contains a random value r. How do you ensure a random number is really random in the public blockchain?

Randomness is used to select committee members for block generation in Algorand’s pure proof-of-stake consensus protocol. This is done through Verifiable Random Functions (VRF).

The seed of the VRF is generated by block proposers and may depend on the state of the blockchain thus far. The adversary cannot predict the randomness before seeing the block proposer’s message, thus cannot pre-strategize based on it. The randomness used in the protocol is updated every round, and seeing the randomness for the current round does not help an adversary predict the randomness used in future rounds. Similar schemes can be used to generate randomness for other purposes, including digital signatures.

What are the problems of delegated proof-of-stake (DPOS) and bonded proof-of-stake?

While delegated and bonded proof-of-stake approaches are more environmentally conscious – as they do not require the large computation power as found in a proof-of-work system in order to mine a block – they are still centralized by design.

In delegated proof-of-stake, a fixed number of selected entities, or delegates, are selected to generate blocks. Delegates are voted into power by the users of the network, who each get a number of votes proportional to the number of tokens they own on the network (i.e., their stake). However, once delegates are selected, they remain in position for a long time, which inherently makes the system more centralized. Further, there is no guarantee that all delegates will remain honest. And even if their honesty was certain, because their identities are known, they become obvious targets for attackers.

In bonded proof-of-stake, a user’s voting power is proportional to the number of tokens he is willing to “lock-up” —that is, put aside without touching for a long time. If he is caught taking malicious actions within the system, then these tokens may be confiscated. This inherently puts “small” users at a disadvantage, as they may need their tokens frequently and can’t afford to lock a large amount up for a long time. Users with a large total stake, on the other hand, are often more willing to do so, causing the voting power in the system to skew disproportionately towards them.

In comparison, Algorand’s Pure Proof-of-Stake (PPoS) approach randomly selects users in charge of block generation. The randomized selection happens not only per block but actually along every step of the Byzantine agreement per block. Every user may be chosen to propose and vote on blocks. The selection probability is directly proportional to a user’s total stake rather than the stake he is willing to lock up. The protocol does not ask a user to lock up any stake in order to participate, neither does it confiscate a user’s stake.

Why Dutch auction is adopted to determine the token price of Algorand?

The Algorand Foundation is responsible for the distribution of Algos—the native token of the Algorand platform. Algos will initially enter circulation through a sequence of Dutch auctions due to three main benefits they specifically provide – fairness, transparency, and convenience.

A Dutch auction lets the market determines the fair price of tokens rather than having the price set by any specific entity. Also, in a Dutch auction, the token price is the same for all participants who have won any amount of tokens, treating participants fairly.

A Dutch auction is convenient for the users to participate in online. Indeed, during such an auction a user does not need to remain online the entire time. They can make a bid and then move offline, and even return online to make another bid later on.

Finally, auctions are conducted on the Algorand blockchain for transparency. All bids are placed on the blockchain, so everybody can verify that the auction has been conducted properly.

Knowing that most of the dApps in public blockchains related to gaming, how Algorand can attract blockchain developers from existing leaders such as EOS and Tron?

Algorand’s technology stands out in decentralization, scalability, and security. We are committed to building a truly permissionless and decentralized public blockchain; a vision shared by many blockchain developers. The Algorand blockchain offers and will continue to offer many unique features where true technology plays. I invite readers to look at our blog posts on Algorand’s roadmap.

For example, as the Algorand blockchain doesn’t fork, it provides immediate transaction finality. After seeing a newly generated block containing a specific transaction, a user doesn’t need to wait for several other blocks to be generated following it before he can safely rely on that transaction. This is critical for time-sensitive applications, as there is no need to make a tradeoff between having a short confirmation time for transactions and risking certain transactions disappearing from the chain.

Exit mobile version